Stats as Percentages Of Total

HeinzWaescher · ‎11-12-2013

Hi,

I have a search like this:

search... | fields + user, country| stats dc(user) AS Users by country | sort - Users

The result is a table like this:

Country A - 1000

Country B - 500

Country C - 500

Is there an easy way to display the share per country in %?

Country A - 50

Country B - 25

Country C - 25

sansay · ‎06-12-2014

The corrected query is:

search... | fields + user, country| eventstats dc(user) as totalcount | stats dc(user) AS Users by country, totalcount | eval countrypercent=Users/totalcount*100 | sort - Users

The problem with the original query is that it didn't pass totalcount in the stats statement.
So the percentage could not be calculated.

Ayn · ‎11-12-2013

You can calculate a total distinct count and then divide your Users value by this to get a percentage.

search... | fields + user, country| eventstats dc(user) as totalcount | stats dc(user) AS Users by country | eval countrypercent=Users/totalcount*100 | sort - Users

GeorgeStarkey · ‎12-02-2016

I downvoted this post because refined query in later post solves the problem.

HeinzWaescher · ‎11-12-2013

It looks like this now:

search...| fields + user

| eventstats dc(user) as totalcount
| stats dc(user) AS Users by Country
| eval countrypercent=Users/totalcount*100

This results in the original table including the total counts per Country. I also tried out to find the entries for totalcount with "| table totalcount". But there are no results

Ayn · ‎11-12-2013

Neither eventstats nor eval filter events in any way so I suspect you're doing some other error. What does your search look like now?

HeinzWaescher · ‎11-12-2013

Hey,

i tried this out, but Splunk tells me "no results found" after adding the eventstats & eval command.

Stats as Percentages Of Total

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!